Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. ~C. S. Lewis

Emil Kvarnhammar, a hacker at Swedish security firm Truesec, calls the vulnerability “rootpipe” and has explained how he found it and how you can protect against it.
It’s a so-called privilege escalation vulnerability, which means that even without a password an attacker could gain the highest level of access on a machine, known as root access. From there, the attacker has full control of the system.It affects the newest OS X release, version 10.10, known as Yosemite. Apple hasn’t fixed the flaw yet, he says, so Truesec won’t provide details yet of how it works.

Great job, Emil Kvarnhammar!

I love it when folks find vulnerabilities. It means they will be fixed and not still out there!

“It all started when I was preparing for two security events, one in Stockholm and one in Malmö,” Kvarnhammar says. “I wanted to show a flaw in Mac OS X, but relatively few have been published. There are a few ‘proof of concepts’ online, but the latest I found affected the older 10.8.5 version of OS X. I couldn’t find anything similar for 10.9 or 10.10.”

Mac users tend to keep their OS more up to date than Windows users, he says, and he wanted to find a vulnerability that would affect current users, so he started digging around in the newer versions of OS X.

So glad there are folks who are vigilant with all the OSes out there.

Many folks think 'oh, my God' when these things are found for Windows, Mac, or Linux.

I think, "thankfully another exploit vector is being fixed!"

All OSes have vulnerabilities and the quicker they are found and fixed, the better.

He didn’t get much of a response, he said, which didn’t surprise him given Apple’s policy of not confirming vulnerabilities. But because Apple agreed to a date when he can publish details of the flaw, he believes the company indirectly confirmed it.“For our part, there was no discussion: we do responsible disclosure,” he said. “But we also wanted to announce that we found a serious flaw; there is a big risk here.”

I liked that he said the following:

Quote

He didn’t get much of a response, he said, which didn’t surprise him given Apple’s policy of not confirming vulnerabilities. But because Apple agreed to a date when he can publish details of the flaw, he believes the company indirectly confirmed it.“For our part, there was no discussion: we do responsible disclosure,” he said. “But we also wanted to announce that we found a serious flaw; there is a big risk here.”

I wish Apple was more forthcoming. It is the one scary thing for Mac users, especially as they incorporate more Windows type networking services into OS X to be more compatible with Corporate world.